Risk Update

Risk Developments — Law Firm Hit with High HIPAA Fines, ABA on Choice of Law for Multijurisdictional Ethics

“New York Law Firm Pays $200,000 to State AG to Resolve HIPAA Violations” —

  • “A New York law firm that suffered a LockBit ransomware attack has agreed to pay a financial penalty of $200,000 to the New York Attorney General to resolve alleged violations of New York General Business Law and the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA).”
  • “On or around Christmas Day 2021, the LockBit ransomware gang gained access to its network and encrypted files. The investigation confirmed that files were exfiltrated in the attack, including legal documents, patient lists, and medical records. The patient information included names, birthdates, medical histories, treatment information, Social Security numbers, and health insurance information.”
  • “The investigation confirmed the LockBit gang gained access to its network in November 2021 by exploiting unpatched Microsoft Exchange vulnerabilities.”
  • “The incident was investigated by the Office of the New York Attorney General to determine whether the law firm had violated state laws and the HIPAA Rules. The NY AG determined the vulnerabilities exploited by the LockBit gang had been identified by Microsoft in April and May 2021 and patches had been released shortly thereafter to fix those vulnerabilities. Despite the vulnerabilities being well known, they remained unpatched for more than 6 months, which left the firm’s email server vulnerable to attack.”
  • “The NY AG determined 17 provisions of the HIPAA Privacy and Security Rules had been violated and there were also violations of New York General Business Law by failing to implement reasonable security practices to protect private information and the failure to issue timely notifications to 61,438 New York residents.”

“ABA Outlines Choice-of-Law Issues for Multijurisdictional Ethics” —

  • “A lawyer won’t be disciplined if their conduct complies with the rules of a jurisdiction where the attorney reasonably believes their conduct will have the most predominant effect, the American Bar Association clarified on Wednesday.”
  • “The ABA clarification, issued as a formal opinion on Wednesday, highlights that litigation and non-litigation matters are treated separately for the purposes of determining which disciplinary authorities govern certain alleged misconduct, and which rules are applicable.”
  • “Model Rule 8.5 in the ABA Model Rules of Professional Conduct dictates that, when there is a choice-of-law question in a case before a tribunal and a lawyer practices law in multiple jurisdictions, the lawyer must comply with the rules associated with the location of the tribunal. Conduct before a tribunal is considered under the disciplinary authority of the jurisdiction in which the tribunal sits, the association said.”
  • “In matters for which there is no litigation in effect, a lawyer’s conduct is determined by the location in which the predominant effect is felt, regardless of where the attorney practices law, the opinion says.”
  • “The rule stands firm when applied to fee agreements, law firm ownership, reporting professional misconduct, confidential duties, and screening attorneys making lateral firm moves, according to the ABA’s Standing Committee on Ethics and Professional Responsibility.”